DB-API execute params, am I missing something?
Lawrence D'Oliveiro
ldo at geek-central.gen.new_zealand
Fri May 29 05:46:13 EDT 2009
In message <mailman.867.1243574504.8015.python-list at python.org>, Dennis Lee Bieber wrote:
> On Thu, 28 May 2009 20:57:13 +1200, Lawrence D'Oliveiro
> <ldo at geek-central.gen.new_zealand> declaimed the following in
> gmane.comp.python.general:
>
>>>
>>> >>> db.literal((... "%wildcard%" ...))
>>> (... "'%wildcard%'" ...)
>>
>> Doesn't look like it worked, does it?
>
> If the problem is that you have /user/ input that may have a % sign
> that should NOT be treated as a wildcard, the solution is to train said
> user...
Sounds like a good solution to SQL-injection vulnerabilities, doesn't it?
Wonder why no-one thought of that before?
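The point the thread circles around, shown as an added example that is not part of the original post or of any DB-API driver: parameter binding quotes the value and stops SQL injection, but `%` and `_` inside a bound string are still LIKE wildcards, exactly as the db.literal() output above shows. The application has to escape them itself and tell the database which escape character it used. This uses Python's sqlite3 module as a stand-in for the MySQLdb connection in the thread; the table and rows are constructed for the example.

```python
import sqlite3

# Constructed sample rows for the example (not from the original thread).
SAMPLE_ROWS = [
    ("100% cotton shirt",),
    ("wildcard demo",),
    ("plain_name",),
    ("plain-name",),
    ("the wildcard% product",),
]


def make_db():
    """In-memory SQLite database standing in for the MySQL one in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.executemany("INSERT INTO products (name) VALUES (?)", SAMPLE_ROWS)
    return conn


def escape_like(term, esc="\\"):
    """Escape LIKE metacharacters in user input so they match literally.

    Parameter binding only quotes the string; it does not neutralise % and _.
    The escape character itself is doubled first so it cannot be smuggled in.
    """
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_naive(conn, user_input):
    # Parameterised, so no SQL injection is possible here, but a % or _
    # typed by the user still acts as a wildcard inside the LIKE pattern.
    cur = conn.execute("SELECT name FROM products WHERE name LIKE ?",
                       ("%" + user_input + "%",))
    return sorted(row[0] for row in cur)


def search_escaped(conn, user_input):
    # Same binding, but the user's wildcards are escaped and the statement
    # names the escape character, so the input is matched as literal text.
    pattern = "%" + escape_like(user_input) + "%"
    cur = conn.execute(
        "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\'",
        (pattern,))
    return sorted(row[0] for row in cur)


if __name__ == "__main__":
    db = make_db()
    for term in ("%", "plain_name", "x' OR '1'='1"):
        print(repr(term), "naive:", search_naive(db, term))
        print(repr(term), "escaped:", search_escaped(db, term))
```

With a bare `%` as input the naive search returns every row, while the escaped search returns only the names that actually contain a percent sign; `plain_name` matches `plain-name` too in the naive version. Both versions return nothing for a classic injection string, which is the part that binding does solve.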